LoFP / valid change in the guardduty (e.g. to ignore internal scanners)

Techniques

• t1685

Sample rules

AWS GuardDuty Important Change

• source: sigma
• technicques:
  • t1685

Description

Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.

Detection logic

condition: selection_source
selection_source:
  eventName: CreateIPSet
  eventSource: guardduty.amazonaws.com